'Even a new Barbie has the ability to spy on you'
Household items, like digitalrecorders and webcams, were used in last weekend's huge cyberattack. John Meagher looks at the dark side of the rapidly expanding - and entirely unregulated - 'Internet of Things'.
It was a cyberattack that may spell the shape of things to come. On Friday of last week, several of the world's leading websites, including Facebook, Twitter and PayPal, were disabled. Spotify, The New York Times and the Guardian were also affected in an outage that was mainly felt along the US east coast, but also in parts of Europe.
All are customers of Dyn, an infrastructure company in New Hampshire that acts as a switchboard for internet traffic. What made this particular attack remarkable was that the hackers used everyday devices like webcams and digital recorders.
Rather than prey on desktop computers and laptops, they had targeted the sort of "smart" devices that have become increasingly commonplace in our homes. It captured the popular imagination because it illustrated the security vulnerabilities of all those wi-fi-connected TVs and video cameras, fridges and weighing scales, that have fuelled so much of the consumer spend this decade.
Put simply, such gadgets - and many others set to be snapped up this Christmas - can be vulnerable to viruses and malicious software that can turn them into veritable weapons in the cyberwars. And all without their owners' knowledge.
Last weekend's attack saw hundreds of thousands of hacked devices being exploited to jam and take down internet computer services. Hackers used internet-connected devices that had previously been infected with a malicious code - known as a "botnet" - to force an especially potent distributed denial of service (DDoS) attack.
The aim of a DDoS attack is to overwhelm an online service with traffic from multiple sources, rendering it unavailable. In layman's terms, it's the equivalent of calling every phone in an office building simultaneously. Dyn said attacks were coming from millions of internet addresses, making it one of the largest attacks ever seen.
If it was a surprise to the general public, there was no shock for Conor Flynn, a leading cybersecurity expert.
"We've been banging the drum about this for a number of years," he says. "Many of these consumer devices don't have the correct protections in place. There's been a rush to create smart products, as inexpensively as possible."
It is, for now, an entirely unregulated market.
And it's a market that is growing rapidly. The clunky descriptor, Internet of Things (IoT), came into the vernacular less than 10 years ago but now it's estimated that there are in the region of 6.5 billion such devices worldwide.
Flynn, MD of Information Security Assurance Services, says that while many of these products help to make our lives better, they can be all too vulnerable to being hacked.
"People go into high street retailers and buy big-name products and assume there won't be a problem with security, but that's not a good assumption to make."
Not that many consumers give such detail a second thought. In his experience, there's widespread ignorance about how easy it can be for IoT devices to be abused in the wrong hands.
It's a sentiment echoed by Paul C Dwyer, MD of Cyber Risk International.
"There are search engines," he says, "where you can look up details of your neighbour's video cameras. It doesn't take great technical know-how to be able to hack into someone else's devices."
Amateurs are already interested in easily compromised hardware with computer programmer John Matherly running a controversial search engine, Shodan, which indexes thousands of completely unsecured web-connected devices.
The US hack-attack demonstrated just how vulnerable we have become thanks to unregulated technical progress.
"The Internet of Things has become everything you can think of," Dwyer says.
"Cat-litter trays, baby-cams, fridges, coffee makers - the list goes on. People buy them and don't think about their capabilities, or how connected they are.
"The internet was designed as a resilient network, but not a secure one.
"These latest attacks highlight the vulnerability and dependency we have on the internet in today's world."
Dwyer believes we're only in the infancy of how IoT can play a part in the hackers' warfare and says it's expected that a quarter of all cyberattacks will involve such devices by 2020.
Cybersecurity specialist Brian Honan of BH Consulting says Samsung TVs are a case in point.
According to the Korean giant's user policy, if purchasers of its smart TVs opt to use the voice-recognition feature, your spoken words - including anything of a sensitive nature - can be passed on to a company, Nuance, which specialises in voice recognition.
"Please be aware," reads its policy, "that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through voice recognition."
Trevor Timm, director of the US-based Freedom of the Press Foundation, points out that several other gadgets and devices boast similar capabilities. "While Samsung took a bunch of heat, a wide array of devices now act as all-seeing, or all-listening devices, including other television models, Xbox Kinect, Amazon Echo and General Motor's OnStar program that tracks car owners' driving patterns.
"Even a new Barbie has the ability to spy on you. It listens to Barbie owners to respond but also sends what it hears back to the mothership at Mattel."
Honan says burglars of a more sophisticated hue have attempted to hack into cameras in order to help them with robberies, and their cause can be helped by the fact that consumers sometimes neglect to change the default password to one of their own. That was partly the case in the US last weekend, although Conor Flynn points out that several of the products had in-built passwords that could not be altered by the consumer. Some of these have now been subject to a recall by their manufacturers.
He says the EU's General Data Protection Regulation (GDPR) will help to regulate the industry when it comes into effect in May 2018, but in the meantime, products are coming on the market that have the potential to be easily hacked. "In some respects, what happened in the US was bland in terms of outcome, but it shows what can be done."
And it's not just hugely disruptive hacks that concern him. On a micro level, people are leaving themselves vulnerable to crime thanks to their dependence on smart products. "Cameras can easily be taken control of," he says, "and in some cases, the hacker can access the PTZ (pan, tilt and zoom capability) to enable them to 'look around'."
The irony, he points out, is that the very tool that people feel is helping to make them feel safe and secure, can - in the wrong hands - be turned against them.
Meanwhile, it is still not known who was behind last Friday's attack, although a tweet from WikiLeaks implied that some of its supporters may have been responsible. Others believe the attack may have been orchestrated by a country keen to cause disruption in the West.
One of the world's foremost security experts, Bruce Schneier, last month wrote that "China or Russia" was "learning how to take down the internet".
He claimed "a large nation state" had been testing increasing levels of DDoS attacks against unnamed core internet infrastructure providers in what seemed like a test of capability.
What's certain, Conor Flynn believes, is that there will be new and more severe cyberattacks. "It's not a case of if, but when. There aren't many certainties in life, but that's one, unfortunately."